Vulnerable Plugins
Eleven disclosures since last week, including one critical vulnerability that remains unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has fixed the issue.
View this week's vulnerable plugins list.
Other WordPress News
Version 4.9.6 of WordPress was released yesterday. While many (myself included) assumed this was going to be a maintenance release based on its version number, it's much closer to a feature release than a maintenance release. For now, it's appearing as an update in the dashboard and is not auto-updating (at least not on any of the sites I've seen). This is good since you will want to ensure that none of the newly added features break your current configuration. However, from what I understand, the core team will eventually enable this release for auto-updates, so if you are worried about it breaking your site, you'll need to begin testing sooner rather than later.